I had Wikipedia and Facebook open in separate tabs. NoScript cripples both, so I allow Wikipedia free reign and enable Facebook every time I log in. Just now I clicked a Wikipedia internal link and a piece of javascript on facebook kicked off briefly, its ID flicking up in the tab for the facebook page I had open. It doesn't seem to be repeatable. Was that some facebook spyware running in my browser or was it just a coincidence?

Possibly related though I don't see how, in the NoScript options XSS tab there is a list of anti-XSS protection exceptions, i.e. XSS scripts that NoScript allows. At present I have listed: